01/13/2006 16:45 FAX 8586785099
FISH AND RICHARDSON
Attorney's Docket No.: 10559-755001/P13653
Intel Corporation
Amendment to the Claims:
This listing of claims replaces all prior versions, and
listings, of claims in the application:
1. (original) A machine-implemented method comprising:
receiving requests for network communication services from
an invoked application;
selectively designating each of the received requests as
authorized or unauthorized based on an application-specific
network policy; and
monitoring inbound network communications, based on the
authorized requests, to detect an intrusion.
2. (original) The method of claim 1, wherein monitoring
inbound network communications comprises:
blocking the inbound network communications that fail to
correspond to an authorized request; and
monitoring the blocked inbound network communications to
detect an intrusion.
3. (original) The method of claim 2, wherein monitoring
the blocked inbound network communications comprises:
examining the blocked inbound network communications to
detect an intrusion prelude;
identifying a source for a detected intrusion prelude; and
initiating monitoring of inbound network communications
from the identified source.
4. (original) The method of claim 3, wherein examining the
blocked inbound network communications comprises checking for
patterns spanning multiple communications.
5. (original) The method of claim 4, wherein monitoring
the blocked inbound network communications further comprises
generating fabricated responses to the blocked inbound network
communications.
6. (original) The method of claim 3, wherein the
monitoring of inbound network communications from the identified
source comprises checking the inbound network communications
from the identified source for packet-level exploits.
7. (original) The method of claim 1, further comprising
increasing a monitoring level for network communications for the
invoked application in response to one or more unauthorized
requests.
8. (original) The method of claim 7, wherein increasing a
monitoring level for network communications for the invoked
application comprises initiating monitoring of the network
communications for the invoked application using an application-
specific intrusion signature.
9. (original) The method of claim 8, further comprising
identifying the invoked application by examining a set of
instructions embodying the invoked application.
10. (original) The method of claim 9, wherein monitoring
of the network communications for the invoked application
comprises monitoring in an intrusion detection system component
invoked with the invoked application.
11. (original) The method of claim 10, wherein the
intrusion detection system component and the invoked application
run within a single execution context.
12. (original) The method of claim 9, wherein examining
the set of instructions comprises:
applying a hash function to the set of instructions to
generate a condensed representation; and
comparing the condensed representation with existing
condensed representations for known applications.
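As an added illustration of the mechanism recited in claims 1 through 12, the following Python model was written for this page; it is not Intel's implementation and not code from the application. The choice of SHA-256 as the hash function, the policy table, the signature byte patterns, the three-port scan threshold and all sample traffic are constructed assumptions. It shows the three pieces the claims combine: per-application authorization of outbound requests, blocking of inbound traffic that matches no authorized request, and mining the blocked remainder for a prelude that spans several packets before watching that source for packet-level exploits.

```python
"""Model of claims 1-12: application-specific network policy, blocked-traffic
intrusion-prelude detection, source watching and per-application escalation.
Illustrative code for this page, not Intel's; every constant is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
import hashlib

# Claim 12: identify an invoked application by hashing the instructions that
# embody it and comparing against stored digests of known applications.
# SHA-256 is an assumption; the claim only recites "a hash function".
KNOWN_APPS = {
    hashlib.sha256(b"constructed browser image").hexdigest(): "browser",
    hashlib.sha256(b"constructed dns client image").hexdigest(): "dns-client",
}

def identify_application(instructions: bytes) -> str:
    return KNOWN_APPS.get(hashlib.sha256(instructions).hexdigest(), "unknown")

# Application-specific network policy: the (protocol, remote port) pairs each
# application may request. Constructed for the example.
POLICY = {"browser": {("tcp", 80), ("tcp", 443)}, "dns-client": {("udp", 53)}}

# Claim 8: application-specific intrusion signatures, applied once monitoring
# for that application has been escalated. Byte patterns are placeholders.
APP_SIGNATURES = {"browser": [b"<script>"], "dns-client": [b"\x00\x00\x29"]}
EXPLOIT_SIGNATURES = [b"\x90" * 8]   # claim 6: placeholder packet-level signature
SCAN_PORTS = 3                       # claim 4: distinct blocked ports from one
                                     # source that count as an intrusion prelude

@dataclass
class Detector:
    flows: dict = field(default_factory=dict)        # (proto, host, port) -> app
    unauthorized: dict = field(default_factory=lambda: defaultdict(int))
    escalated: set = field(default_factory=set)      # apps under signature watch
    blocked_ports: dict = field(default_factory=lambda: defaultdict(set))
    watched_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def request(self, app: str, proto: str, host: str, port: int) -> bool:
        """Claim 1: designate a request authorized or unauthorized per policy.
        Claim 7: any unauthorized request raises the app's monitoring level."""
        if (proto, port) in POLICY.get(app, set()):
            self.flows[(proto, host, port)] = app
            return True
        self.unauthorized[app] += 1
        self.escalated.add(app)
        return False

    def inbound(self, proto: str, src: str, src_port: int, dst_port: int,
                payload: bytes = b"") -> str:
        """Claims 2-6: admit only traffic matching an authorized request; mine
        the blocked remainder for a multi-packet prelude, then watch its source."""
        app = self.flows.get((proto, src, src_port))
        if app is None:
            self.blocked_ports[src].add(dst_port)
            if len(self.blocked_ports[src]) >= SCAN_PORTS and src not in self.watched_sources:
                self.watched_sources.add(src)                # claim 3: identify source
                self.alerts.append(("prelude", src))
            verdict = "blocked"
        else:
            verdict = "allowed"
            if app in self.escalated and any(s in payload for s in APP_SIGNATURES.get(app, [])):
                self.alerts.append(("app-signature", app, src))   # claim 8
        if src in self.watched_sources and any(s in payload for s in EXPLOIT_SIGNATURES):
            self.alerts.append(("packet-exploit", src))           # claim 6
        return verdict

def run_demo() -> list:
    """Constructed traffic: one authorized browser flow, one policy violation
    that escalates the browser, a port sweep from 203.0.113.7, then an exploit
    attempt from that now-watched source."""
    d = Detector()
    app = identify_application(b"constructed browser image")      # -> "browser"
    d.request(app, "tcp", "198.51.100.10", 443)                    # authorized
    d.request(app, "tcp", "198.51.100.10", 6667)                   # unauthorized
    d.inbound("tcp", "198.51.100.10", 443, 50000, b"HTTP/1.1 200 OK")
    d.inbound("tcp", "198.51.100.10", 443, 50000, b"<script>alert(1)</script>")
    for port in (22, 23, 445):                                     # sweep, all blocked
        d.inbound("tcp", "203.0.113.7", 40000 + port, port)
    d.inbound("tcp", "203.0.113.7", 41000, 445, b"\x90" * 8 + b"\xcc")
    return d.alerts
```

In the demo the sweep produces a single "prelude" alert on the third distinct blocked port rather than one alert per packet, which is the point of examining patterns across multiple communications; only after the source is identified does the detector spend effort on payload inspection for it, and the browser's signature check runs only because an earlier unauthorized request escalated that application.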
13. (original) A machine-implemented method comprising:
identifying an invoked application;
receiving requests for network communication services from
the invoked application;
selectively designating each of the received requests as
authorized or unauthorized based on an application-specific
network policy;
blocking inbound network communications that fail to
correspond to an authorized request;
monitoring the blocked inbound network communications to
detect an intrusion; and
initiating monitoring of network communications for the
invoked application using an application-specific intrusion
signature in response to one or more unauthorized requests.
14. (original) The method of claim 13, wherein monitoring
the blocked inbound network communications comprises:
examining the blocked inbound network communications to
detect an intrusion prelude;
identifying a source for a detected intrusion prelude; and
initiating monitoring of inbound network communications
from the identified source.
15. (original) The method of claim 14, wherein identifying
the invoked application comprises examining a set of
instructions embodying the invoked application.
16. (original) The method of claim 15, wherein examining
the blocked inbound network communications comprises checking
for patterns spanning multiple communications.
17. (original) The method of claim 16, wherein monitoring
the blocked inbound network communications further comprises
generating fabricated responses to the blocked inbound network
communications.
18. (original) The method of claim 15, wherein monitoring
of inbound network communications from the identified source
comprises checking the inbound network communications from the
identified source for packet-level exploits.
19. (original) The method of claim 18, wherein examining
the set of instructions comprises:
applying a hash function to the set of instructions to
generate a condensed representation; and
comparing the condensed representation with existing
condensed representations for known applications.
20. (original) The method of claim 19, wherein monitoring
of the network communications for the invoked application
comprises monitoring in an intrusion detection system component
invoked with the invoked application.
21. (original) The method of claim 20, wherein the
intrusion detection system component and the invoked application
run within a single execution context.
22. (original) A system comprising:
an application network policy enforcer, which services
network requests from an application invoked on a machine,
identifies the network requests that fail to satisfy an
application-specific network policy, and identifies the network
requests that satisfy the application-specific network policy;
a network traffic enforcer, which blocks inbound network
traffic that does not correspond to the network requests
identified by the application network policy enforcer as
satisfying the application- specific network policy; and
an intrusion detector, which responds to the network
requests identified by the application network policy enforcer
as failing to satisfy the application-specific network policy,
and which responds to the inbound network traffic blocked by the
network traffic enforcer.
23. (original) The system of claim 22, wherein the
intrusion detector comprises:
a first component that responds to the network requests
identified as failing to satisfy the application-specific
network policy by monitoring traffic for the invoked
application, wherein the first component shares a software
module with the application network policy enforcer; and
a second component that responds to the blocked traffic by
monitoring traffic for an identified source of an intrusion
prelude detected in the blocked traffic, wherein the second
component shares a software module with the network traffic
enforcer.
24. (original) A system comprising:
means for servicing network requests from an application
invoked on a machine;
means for authorizing the network requests using an
application- specific network policy;
means for blocking traffic that does not correspond to an
authorized request;
means for monitoring blocked traffic to identify an
intrusion prelude and to identify abnormal application behavior;
means for detecting an intrusion in response to an
identified intrusion prelude; and
means for detecting an intrusion in response to identified
abnormal application behavior.
25. (original) The system of claim 24, wherein the means
for detecting an intrusion in response to an identified
intrusion prelude comprises means for detecting packet-level
exploits for traffic from an identified source of the identified
intrusion prelude, and wherein the means for detecting an
intrusion in response to identified abnormal application
behavior comprises means for detecting application-specific
intrusion signatures for traffic corresponding to an abnormally
behaving application, the system further comprising:
means for generating a fabricated response to blocked
traffic to gain knowledge about a potential intruder; and
means for responding to a detected intrusion.
26. (original) A machine-readable medium embodying machine
instructions for causing one or more machines to perform
operations comprising:
identifying an invoked application;
receiving requests for network communication services from
the invoked application;
selectively designating each of the received requests as
authorized or unauthorized based on an application-specific
network policy;
blocking inbound network communications that fail to
correspond to an authorized request;
monitoring the blocked inbound network communications to
detect an intrusion; and
initiating monitoring of network communications for the
invoked application using an application-specific intrusion
signature in response to one or more unauthorized requests.
27. (original) The machine-readable medium of claim 26,
wherein monitoring the blocked inbound network communications
comprises:
examining the blocked inbound network communications to
detect an intrusion prelude;
identifying a source for a detected intrusion prelude; and
initiating monitoring of inbound network communications
from the identified source.
28. (original) The machine-readable medium of claim 27,
wherein identifying the invoked application comprises examining
a set of instructions embodying the invoked application.
29. (original) The machine-readable medium of claim 28,
wherein monitoring of inbound network communications from the
identified source comprises checking the inbound network
communications from the identified source for packet-level
exploits.
30. (original) The machine-readable medium of claim 29,
wherein examining the set of instructions comprises:
applying a hash function to the set of instructions to
generate a condensed representation; and
comparing the condensed representation with existing
condensed representations for known applications.
31. (original) A machine-implemented method comprising:
blocking inbound network communications that fail to
correspond to a network policy;
detecting a potential intrusion prelude from the blocked
inbound network communications;
selectively generating a fabricated response to the
detected potential intrusion prelude; and
receiving information about a potential intruder in
response to the generated fabricated response.
32. (original) The method of claim 31, wherein the network
policy comprises an application-specific network policy, the
method further comprising:
receiving requests for network communication services from
an invoked application;
selectively designating each of the received requests as
authorized or unauthorized based on the application-specific
network policy;
monitoring the blocked inbound network communications to
detect an intrusion; and
associating the information about the potential intruder
with a detected intrusion.
33. (original) The method of claim 32, wherein monitoring
the blocked inbound network communications comprises:
examining the blocked inbound network communications to
detect an intrusion prelude;
identifying a source for a detected intrusion prelude; and
initiating monitoring of inbound network communications
from the identified source.
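Claims 31 through 33 (and the fabricated-response limitations of claims 5, 17 and 25) add a deception step to the blocked-traffic monitoring: a potential prelude is answered with a fabricated response, and whatever the prober sends back is information about the intruder that can later be attached to a detected intrusion. The Python below is an added example written for this page, not Intel's code; the fake service banners, the follow-up parsing rules and the probe sequence are all constructed assumptions, and the prelude detection itself is taken as an input rather than modelled again.

```python
"""Model of claims 31-33: selectively fabricate responses to blocked probes,
collect what the prober sends back, and associate it with a later intrusion.
Illustrative code for this page, not Intel's; all constants are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Fabricated responses per probed port. The response is "selective": only
# ports in this table are answered; everything else stays silently blocked.
FAKE_SERVICES = {22: b"SSH-2.0-OpenSSH_5.3\r\n", 21: b"220 ftpd ready\r\n"}

@dataclass
class Deceiver:
    intel: dict = field(default_factory=dict)     # src -> list of learned facts
    incidents: list = field(default_factory=list)

    def respond_to_prelude(self, src: str, dst_port: int) -> Optional[bytes]:
        """Claim 31: generate a fabricated response to a detected potential
        prelude. Returns the bytes to send, or None to stay silent."""
        banner = FAKE_SERVICES.get(dst_port)
        if banner is not None:
            self.intel.setdefault(src, []).append(
                f"probed {dst_port}, answered with fake banner")
        return banner

    def receive_followup(self, src: str, dst_port: int, payload: bytes) -> None:
        """Claim 31: the prober's reply to the fabricated response is the
        information received about the potential intruder."""
        facts = self.intel.setdefault(src, [])
        if dst_port == 22 and payload.startswith(b"SSH-"):
            facts.append("ssh client: " + payload.strip().decode(errors="replace"))
        elif dst_port == 21 and payload.upper().startswith(b"USER "):
            facts.append("ftp login attempt as "
                         + payload[5:].strip().decode(errors="replace"))
        else:
            facts.append(f"unrecognised follow-up on {dst_port}: {payload[:16]!r}")

    def on_intrusion(self, src: str, description: str) -> dict:
        """Claim 32: associate the gathered intruder information with a
        detected intrusion from the same source."""
        incident = {"source": src, "intrusion": description,
                    "intruder_info": list(self.intel.get(src, []))}
        self.incidents.append(incident)
        return incident

def run_demo() -> dict:
    """Constructed sequence: 203.0.113.7 probes 22 and 21 (both answered with
    fake banners), probes 8080 (unanswered), then trips an intrusion detector."""
    d = Deceiver()
    src = "203.0.113.7"
    d.respond_to_prelude(src, 22)
    d.receive_followup(src, 22, b"SSH-2.0-libssh2_1.4.3\r\n")
    d.respond_to_prelude(src, 21)
    d.receive_followup(src, 21, b"USER admin\r\n")
    d.respond_to_prelude(src, 8080)      # no fake service here: stays silent
    return d.on_intrusion(src, "packet-level exploit attempt against tcp/445")
```

The incident record returned by run_demo carries the client library string and the attempted login name alongside the intrusion itself, which is what "associating the information about the potential intruder with a detected intrusion" amounts to in practice; keeping the answered-port table small limits how much of the host's real port layout the fabricated replies give away.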
34. (new) The method of claim 13, wherein the application-
specific intrusion signature is loaded from a central security
server.
35. (new) The machine-readable medium of claim 26, wherein
the application-specific intrusion signature is loaded from a
central security server.